THREATCON off the meter this time! Apparently every vuln scanner company in the world is infringing on proprietary technology and will be taken to court! Like.. can I appear as a witness in these courts? I can provide documentation, and show prior art for all of these "things". Definitely not the code of FS, but certainly other public implementations in the "broad scope of generalizations" they are making. Are they trying to argue a patent or a copyright, I wonder? Do they know the difference?

OH.. I might be held as slightly biased, since one of the reasons for the FS action is that NTO (NT Objectives, Inc) are actually doing work in the industry, thus FS are rather pissed off.

1) Foundstone's proprietary methods and databases for operating system identification, which include techniques for information, displaying and controlling the status of scans, managing user and administrative roles within web interface, and searching the proprietary database for relevant vulnerability information.

[ prior art. much documentation is available on-line for OS detection, though with varying levels of excellence ;-). Techniques for information, displaying and controlling the status of scans, managing user and .. roles within web interface. Prior art, and it's silly to think that no-one would do this if they ever tried to implement a scanner. ]

5) Foundstone's proprietary web modules for vulnerability testing of web servers which includes "crawling" a web site for links, inventorying the technologies in place, "brute forcing" authentication mechanisms to unearth easy-to-guess passwords, guessing the names of existing but not readily linked-to files, testing for poor script input validation, and testing of source code disclosure.

[ prior art. I've implemented or worked with all of that stuff also. the "guessing names" part, we call URL mutation. input validation is also generally known as Fuzzing. ]

6) Foundstone's proprietary methods and databases for reporting vulnerability results over time including an objective security scoring mechanism, a breakdown of network inventory by live hosts, services open, a vulnerability network map, operating systems running, vulnerabilities found, web module analysis, and trending of these results over time.

[ known as trend analysis. scoring mechanisms.. I believe you stole that from my own patented THREATCON levels, which I will hold you now actionable against. seriously.. been done in all vuln scanners since basically the beginning. Is it that you are basically claiming a patent(?) on prioritization and categorization of results? ]

These technologies are not generally known to the public or to those who could obtain economic value from their disclosure or use. As discussed, Foundstone created those technologies only through investing 80,000 person hours and $4,000,000 of research and development.

[ incorrect. prior art on all of this. FS created an implementation, and possibly much funky stuff, but certainly not such a broad categorization as you claim. I will say that FoundScan is nice, and obviously shows much skill in what they have, but they cannot claim that they own the entire MVA industry. I believe they own their copyrighted works, but they are basically saying above that no-one can implement anything related to scanning, because "MVA is what we sell"! The general techniques above are being used throughout the entire world for scanning; many done by non-business models, showing that these techniques do not require the $4M they claim. Definitely mileage varies between the good and the bad products out there - but that's what competition is about!

I've worked in the managed vulnerability assessment industry for a number of years.. You know how much code goes into these things? It's A LOT. The technology is definitely advancing, but the concepts of scanning from a business perspective are pretty straightforward. You "manage" vulnerabilities from target networks quickly in an easy-to-digest format, that gives you value in terms of "managed" security on your networks. This obviously relates to such things as -->

* "scanning" (let's find some vulnerabilities),
* "database storage of your clients' vulnerabilities" (depends on how much info you want to store, sometimes you just store data for trend analysis).
* "database storage for your clients" (such as what/where/when etc. they scan, histories, preferences, etc.. what did this client want to scan again? at what time.. did he/she have any specific preferences for the scan).
* "database storage for your vulnerabilities" (how many vulns can you store before remembering them from the top of your head gets hard).
* "A presentable format" (erm.. so what's the difference between a remote root and information leakage? do customers want to know the difference? most advisories do this, so why not show it in a report also).
* "Are things good/bad for the client" (well.. last week they had 100 vulns on their network, this week 5.. perhaps we should tell them this? what happens when we now find a new vuln on their machine.. is this something they should resolve? maybe we can have a ticket for it like Bugzilla or CRM?)

If NTO have used FS's code (and erm.. well, I know what it feels like to write code and have it owned by other people who don't even know what it does or what "technology" is behind it, but I'll ignore that for the sake of the argument FS are making). If NTO have used this (FS code), then sure, FS will make an action.. but NTO are releasing specific tools as open source AFAIK, thus a quick look should surely settle this matter on whether they have "stolen" this from FS. FS do not want this release to happen, because they fear the people that worked on FScan might actually be able to produce something that is as good, or better than what FStone have right now. They might do this by using other technologies, incorporating new ideas, or simply taking away learnt mistakes made in FScan.

It appears then, if they (FS) stop NTO right now, it eliminates any possibility of competition through innovation of others, because FS will now claim anything related to scanning as inherently their own creation through derived works! If that actually happens, then it means that ALL MVA companies can be held actionable against by FS, because there is no claim on proprietary technology per se, as everything mentioned above can be shown publicly available, and is definitely a basis for the entire MVA industry. The action is on supposed proprietary concepts inherent to the concept of "what MVA and scanning is"! FS own portscanning and OS Fingerprinting now? ]

-- Silvio
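As an added illustration of the trend-analysis and scoring points made in the post (counting vulns week over week, a score that distinguishes a remote root from an information leak, a live-host and open-service inventory, and something concrete to open a ticket for), here is a small Python example. It is not Silvio's code and has nothing to do with FoundScan or NTO's tools; the Finding fields, the severity weights and the two scan snapshots are all assumptions constructed for the example.

```python
# Scan-result trend analysis and scoring: added illustration, not the
# post's own code and not from any scanner product. Finding fields and
# severity weights are assumptions; both scan snapshots are constructed.
from collections import Counter
from dataclasses import dataclass

# Assumed weights: a simple "objective" score in which one critical
# finding outweighs a handful of low-severity ones.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str
    severity: str


def finding_key(f):
    """Identity of a finding across scans: same host, port and check."""
    return (f.host, f.port, f.vuln_id)


def diff_scans(previous, current):
    """Split findings into new, fixed and persisting relative to the last scan."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=finding_key),
        "fixed": sorted((prev[k] for k in prev.keys() - cur.keys()), key=finding_key),
        "persisting": sorted((cur[k] for k in cur.keys() & prev.keys()), key=finding_key),
    }


def risk_score(findings):
    """Weighted score; an unknown severity counts as zero instead of crashing the report."""
    return sum(SEVERITY_WEIGHT.get(f.severity, 0) for f in findings)


def inventory(findings):
    """Live hosts and open (host, port) services observed in a scan."""
    hosts = {f.host for f in findings}
    services = {(f.host, f.port) for f in findings}
    return {"live_hosts": len(hosts), "open_services": len(services)}


def trend_report(previous, current):
    """What a weekly client report needs: counts, score delta, what changed."""
    delta = diff_scans(previous, current)
    prev_score, cur_score = risk_score(previous), risk_score(current)
    report = {
        "previous_count": len(previous),
        "current_count": len(current),
        "previous_score": prev_score,
        "current_score": cur_score,
        "score_delta": cur_score - prev_score,
        "new": len(delta["new"]),
        "fixed": len(delta["fixed"]),
        "persisting": len(delta["persisting"]),
        "by_severity": dict(Counter(f.severity for f in current)),
    }
    report.update(inventory(current))
    return report


# Constructed sample snapshots (private addresses, made-up check names).
LAST_WEEK = [
    Finding("10.0.0.5", 22, "ssh-weak-ciphers", "medium"),
    Finding("10.0.0.5", 80, "dir-listing", "low"),
    Finding("10.0.0.7", 443, "ssl-expired-cert", "medium"),
    Finding("10.0.0.7", 445, "smb-null-session", "high"),
]
THIS_WEEK = [
    Finding("10.0.0.5", 22, "ssh-weak-ciphers", "medium"),       # still there
    Finding("10.0.0.7", 443, "ssl-expired-cert", "medium"),      # still there
    Finding("10.0.0.9", 8080, "http-default-creds", "critical"),  # new host, new finding
]

if __name__ == "__main__":
    for key, value in trend_report(LAST_WEEK, THIS_WEEK).items():
        print(f"{key}: {value}")
    # Each new finding is a candidate for a tracking ticket.
    for f in diff_scans(LAST_WEEK, THIS_WEEK)["new"]:
        print("ticket candidate:", f)
```

On the constructed data the raw count drops from 4 findings to 3, yet the weighted score rises from 16 to 18 because the one new finding is critical; that is exactly why a report needs a scoring mechanism alongside the count, and why the "new" bucket rather than the total is what feeds a ticket queue.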